ADMIRER

Summary

This box has a old version of PhpMyAdmin (adminer.php) hosted on port 80, which has a known vulnerability allowing remote connections to a MySQL server and allowing to run local queries to read files. Using LFI, we can read index.php to obtain creds which allow SSH access on target. Abusing sudo with setting env_vars and python library allows for privilege escalation to root.

Last updated